Put your trust in knowing untrusted certificate authorities

By Brian Robinson

Mar 24, 2016

Confidence in browsing the web or conducting online transactions depends on the trustworthiness of the digital certificates that certificate authorities (CAs) issue to secure Internet connections. While it’s important to know which CAs can be trusted, Google has started to keep a public record of the other side as well: a Certificate Transparency log for certificates from untrusted CAs, which it’s calling Submariner.

The company’s Certificate Transparency logs initially accepted only certificates chaining to browser-trusted CAs, but Google wanted to include CAs that were once trusted and have since been withdrawn from root programs, as well as new CAs that are on the path to inclusion in browser root programs. The company believes these CAs’ activities are still worth tracking.

Submariner will provide a public record of certificates that are not accepted by the existing Google-operated logs. Google also wants third parties to suggest additional roots for inclusion in Submariner.
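What makes a Certificate Transparency log such as Submariner a useful public record is that it is an append-only Merkle tree (RFC 6962): anyone can fetch an inclusion proof and check that a given certificate really is in the log and that the log’s published tree head commits to it. The following is an added example, not code from the article or from Google’s log software, showing the RFC 6962 hashing scheme and the client-side inclusion-proof check. The leaves are constructed placeholder byte strings; in a real log each leaf is a TLS-encoded MerkleTreeLeaf wrapping the (pre)certificate, and the root hash comes from the log’s signed tree head.

```python
"""RFC 6962 Merkle tree hashing and inclusion-proof verification.

Added example: the leaves below are constructed placeholders standing in for
the TLS-encoded MerkleTreeLeaf structures a real CT log would hash.
"""
from typing import List
import hashlib


def leaf_hash(leaf: bytes) -> bytes:
    # RFC 6962 section 2.1: leaf hashes get a 0x00 domain-separation prefix
    return hashlib.sha256(b"\x00" + leaf).digest()


def node_hash(left: bytes, right: bytes) -> bytes:
    # interior nodes get a 0x01 prefix, so a leaf can't be passed off as a node
    return hashlib.sha256(b"\x01" + left + right).digest()


def _split_point(n: int) -> int:
    # k = largest power of two strictly less than n (for n >= 2)
    k = 1
    while k * 2 < n:
        k *= 2
    return k


def merkle_tree_hash(leaves: List[bytes]) -> bytes:
    # MTH(D[n]) from RFC 6962 section 2.1: an empty tree hashes to SHA-256 of
    # the empty string, a single leaf to its leaf hash, larger trees split at k
    n = len(leaves)
    if n == 0:
        return hashlib.sha256(b"").digest()
    if n == 1:
        return leaf_hash(leaves[0])
    k = _split_point(n)
    return node_hash(merkle_tree_hash(leaves[:k]), merkle_tree_hash(leaves[k:]))


def inclusion_proof(leaves: List[bytes], m: int) -> List[bytes]:
    # PATH(m, D[n]) from RFC 6962 section 2.1.1, i.e. what a log returns for
    # get-proof-by-hash: the sibling hashes from the leaf up to the root
    n = len(leaves)
    if not 0 <= m < n:
        raise ValueError("leaf index out of range")
    if n == 1:
        return []
    k = _split_point(n)
    if m < k:
        return inclusion_proof(leaves[:k], m) + [merkle_tree_hash(leaves[k:])]
    return inclusion_proof(leaves[k:], m - k) + [merkle_tree_hash(leaves[:k])]


def verify_inclusion(leaf: bytes, leaf_index: int, tree_size: int,
                     proof: List[bytes], root_hash: bytes) -> bool:
    # Client-side check, following the step-by-step algorithm in RFC 9162
    # section 2.1.3.2 (same tree construction as RFC 6962): recompute the root
    # from the leaf and the proof, then compare with the signed tree head's root.
    if leaf_index >= tree_size:
        return False
    fn, sn = leaf_index, tree_size - 1
    r = leaf_hash(leaf)
    for p in proof:
        if sn == 0:
            return False            # proof is longer than the tree allows
        if (fn & 1) or fn == sn:
            r = node_hash(p, r)     # sibling sits to the left
            if not (fn & 1):
                # right-shift both until fn is odd or zero
                while fn != 0 and not (fn & 1):
                    fn >>= 1
                    sn >>= 1
        else:
            r = node_hash(r, p)     # sibling sits to the right
        fn >>= 1
        sn >>= 1
    return sn == 0 and r == root_hash


if __name__ == "__main__":
    # constructed placeholder leaves, not real certificates
    leaves = [b"placeholder-cert-%d" % i for i in range(7)]
    root = merkle_tree_hash(leaves)
    proof = inclusion_proof(leaves, 5)
    print("tree head:", root.hex())
    print("leaf 5 included:", verify_inclusion(leaves[5], 5, len(leaves), proof, root))
    print("forged leaf included:", verify_inclusion(b"forged", 5, len(leaves), proof, root))
```

The check only binds the leaf to a root hash; the root hash must come from a signed tree head of the stated size, fetched from the log you mean to audit. A successful proof against Submariner’s tree head tells you the log saw the certificate, not that any browser trusts the root it chains to; that is exactly why a separate log for the untrusted side is useful for monitoring rather than for satisfying browser CT requirements.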

Both the good and the bad of CAs have been on display over the last year. Let’s Encrypt, a CA launched in December, lets webmasters obtain free HTTPS certificates through an automated process. There have also been misused and compromised CAs, including cases where Google had to block fraudulently issued certificates in Chrome. So having a place where people can check what’s happening on the untrusted side of the CA ecosystem is a good balance.